SAN FRANCISCO– Credit unions have a “fishing problem,” and the key to catching more fish lies in enterprise risk management (ERM)—and reinvigorating the role of the supervisory committee, according to one person.
“Lots of credit unions have already overfished their existing ponds,” said Ancin Cooley, principal with Chicago-based Synergy Credit Union Consulting. “They have aging memberships and only learned how to fish a certain way with certain types of risk. They are going to have to learn different ways to fish and how to fish in a different environment. They are going to have to learn how to go from fishing in a pond to fishing in the ocean. Managers may not be up for it, and directors need to get up to speed on how to manage that kind of risk.”
And what all of that means, Cooley told NASCUS’ State System Summit, is credit unions “need to get up to speed on what an ERM can do.”
What Is ERM?
So what is ERM?
“It’s about coverage,” said Cooley. “It’s about the capability to effectively answer numerous questions. The first question: how much risk are we willing to take and how good are we at overseeing risk-taking? One weakness in credit unions is governance. It’s about the board knowing what their lane is and management knowing what their lane is. When the line in the sand isn’t drawn, we have management erosion; one can try to step in and define where the line is.”
While measuring risk is critical to any credit union, Cooley said it’s his view the most important component of CAMEL is credit quality.
“But most resources are put toward BSA and IT,” he said.
Another common failing is ERM can be misconstrued with internal audit, Cooley told the meeting.
“Often, people commingle the two. Internal audit manages the controls for your credit union and ERM looks forward to make sure they are done properly,” Cooley said.
What’s critical in the process is the supervisory committee within credit unions, according to Cooley. He noted the perception is that supervisory committee members are similar to boards and serve for long periods of time. But that’s not the case, he said, saying the average time spent on supervisory committees is three years.
“An active supervisory committee is constantly prodding management to make sure they stay in line,” said Cooley. “I like to see a healthy sparring between the supervisory committee and management to make sure the credit union is operating in a safe and sound manner.”
Three Aspects of ERM
Cooley offered definitions around three aspects of ERM, including:
- What is risk? “Risk appetite can be defined as the amount and type of risk an organization is willing to take in order to meet their strategic objectives. Management and board must first agree on risk appetite, otherwise one or two individuals drive an organization,” he said. “It’s about measuring all the decisions you make on the impact back to your earnings and capital.”
- What is risk tolerance. “It’s the degree of variance from the organization’s risk appetite that the organization is willing to tolerate.” Cooley shared half in jest how a credit union did an MBL 20 years ago on which it lost $500 and has never done an MBL again, even though it was just one type of loan. The result at many CUs: One bad experience reduces risk appetite for all types of risk.
- Risk capacity is the amount of risk an organization can actually bear. “This is an important concept because risk appetite must be set at a level within the capacity limit. Capacity needs to be considered before appetite.” As an example he cited credit unions that stick with A and B paper only and show no risk appetite, even though they have the skills and capacity to go deeper.
Cooley said most credit unions handle risk functions disparately across the organization by individual business units. Risk factors are limited to business continuity, IS, financial and compliance within business silos.
But credit unions that are more effective in applying ERM apply a comprehensive framework where risk functions are handled tightly integrated with strategic business and decision-making, he said. Risks are aggregated by risk type, and it’s part of the strategic planning framework. “The board and the staff has a strong understanding. Risk measures are calculated across the organization.”
Underpinning all of the discussions around ERM is governance, according to Cooley. “From a governance standpoint, who should really be setting the strategic direction of the organization? The board. A lot of times that can be misconstrued. We cannot allow the board to abdicate that responsibility.”
As part of governance Cooley recommends conducting a risk survey of board and senior management that asks, “What type of appetite do you believe decision-makers throughout the organization currently exhibit in the way they set direction, take decisions, and monitor performance?” Those surveyed are asked to answer those questions as follows: open, flexible, cautious, minimalist, or averse.
“The responses then used to determine risk appetite and strategic direction,” said Cooley, stressing, “A risk appetite statement is not a mission statement, nor is it an exercise or a static, unchanging plan.”
An Overlooked ERM Issue
Cooley said there is one aspect of ERM that is often overlooked, and he described it as “near and dear to me.” That issue: Talent Risk Appetite.
As an example of a Talent Risk Appetite statement, Cooley suggested, “We strive to establish and maintain a talented workforce, especially through the professional development and retention of high potential employees.”
That statement must be accompanied by a Talent Risk Tolerance Statement, said Cooley, citing as an example a goal of a retention rate of high-potential employees of at least 90%.
“If that is not happening, you must ask yourself what is leading to the brain drain. A brain drain increases risk inside an organization,” said Cooley.
ERM & CECL
While many credit unions may say they will never engage in such extensive ERM, Cooley said they will have no choice due to CECL, which requires the kind of look forward ERM provides.
“We’re not going to be able to continue to kick the can on ERM,” he said. “Risk appetite affects strategy, budget, credit origination, new products, compensation, capital allocation and portfolio management. It’s a pervasive concept.”